Security & Compliance Framework

1. Executive Summary

Cybersecurity AD operates under a comprehensive security and compliance framework aligned with:

  • EU NIS2 Directive: Advanced cybersecurity standards for critical infrastructure protection
  • Dutch Cybersecuritywet 2026: National implementation of NIS2 with sector-specific requirements
  • GDPR (General Data Protection Regulation): Data protection and processing requirements
  • Dutch Criminal Code (Sv): Investigative standards and evidence requirements
  • NOvA Professional Standards: Attorney-client privilege and confidentiality
  • ISO/IEC 27001: Information security management system

The framework is designed to ensure that while serving criminal defense, the infrastructure maintains the highest standards of security, integrity, and auditability.

2. Risk Management & Assessment

CSAD implements a comprehensive risk management approach aligned with ISO 31000:

  • Risk Identification: Regular assessment of threats to confidentiality, integrity, and availability of case data
  • Risk Evaluation: Probability and impact analysis; prioritization of mitigation efforts
  • Risk Treatment: Implementation of technical and organizational controls
  • Risk Monitoring: Continuous review of risk landscape; adjustment of controls as needed

Key Risks Addressed:

  • Unauthorized Access: Mitigation through authentication (MFA), authorization (role-based), and network segmentation
  • Data Breach: Mitigation through encryption (TLS 1.3, AES-256), access controls, and intrusion detection
  • Insider Threat: Mitigation through background checks, limited privileges, and audit logging
  • Supply Chain Compromise: Mitigation through vendor vetting, code review, and isolated deployment
  • Physical Theft: Mitigation through secure facility controls and full-disk encryption

3. Data Protection & Encryption

Encryption at Rest:

  • Full-disk encryption: All storage devices encrypted with AES-256
  • Database encryption: All case data encrypted at rest using industry-standard algorithms
  • Backup encryption: Encrypted backups stored in isolated, access-controlled locations

Encryption in Transit:

  • TLS 1.3: All client-server communications encrypted with modern TLS standards
  • Mutual Authentication: Server and client mutually verify identity; prevents man-in-the-middle attacks
  • Certificate Pinning: Prevents certificate-based attacks
  • Perfect Forward Secrecy: Past session keys cannot be recovered if long-term keys are compromised

Data Integrity:

  • SHA-512 Hashing: Integrity of all data verified by hash; any alteration is detected when the hash is recomputed and compared
  • Cryptographic Signatures: Data signed to prove authenticity and non-repudiation
  • Write-blocking: All original data marked as read-only; no modifications possible

Critical Guarantee: Data encrypted end-to-end; Cybersecurity AD has no access to decrypted case contents at any point.

4. Access Control & Authentication

Authentication:

  • Multi-Factor Authentication (MFA): Required for all system access; combines a password with a hardware token or biometrics
  • Strong Passwords: Enforced complexity requirements; regular rotation
  • Session Management: Automatic timeout after inactivity; secure session invalidation on logout

Authorization:

  • Role-Based Access Control (RBAC): Users assigned to roles (analyst, reviewer, admin); each role has specific permissions
  • Principle of Least Privilege: Users given only minimum permissions needed; no default admin access
  • Case-Level Isolation: Users can only access cases they are authorized to work on
  • Segregation of Duties: Data analyst cannot approve reports; requires independent reviewer
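The four authorization rules above can be expressed as one deny-by-default policy check. The following is an added example, not CSAD's own code: the role names, permission names and user/case identifiers are assumptions chosen for illustration, and the segregation-of-duties rule is implemented as "the author of a report can never be its approver, and approval requires the reviewer role".

```python
"""Added example, not CSAD's code: an authorization check that models the four
rules above (RBAC, least privilege, case-level isolation, segregation of duties).
Role names, permission names and user/case identifiers are assumptions."""
from dataclasses import dataclass, field

# Role -> permissions. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "analyst":  {"case.read", "case.analyse", "report.draft"},
    "reviewer": {"case.read", "report.read", "report.approve"},
    "admin":    {"user.manage", "audit.read"},   # no case-data access by default
}


@dataclass
class User:
    user_id: str
    roles: set
    cases: set = field(default_factory=set)   # cases this user is assigned to


@dataclass
class Report:
    report_id: str
    case_id: str
    author_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user, permission, case_id=None, report=None):
    """Evaluate one access request and return a Decision.

    Denials return a reason instead of raising so that every denied request can
    be written to the audit log together with the rule that blocked it."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if permission not in granted:
        return Decision(False, f"roles {sorted(user.roles)} do not grant {permission}")
    # Case-level isolation: permissions only apply to cases the user is assigned to.
    if case_id is not None and case_id not in user.cases:
        return Decision(False, f"{user.user_id} is not assigned to case {case_id}")
    # Segregation of duties: approval needs an independent reviewer.
    if permission == "report.approve" and report is not None:
        if report.case_id != case_id:
            return Decision(False, f"{report.report_id} does not belong to case {case_id}")
        if report.author_id == user.user_id:
            return Decision(False, "author may not approve their own report")
    return Decision(True, "granted")


def demo():
    """Constructed users and a report; returns the six decisions in order."""
    analyst = User("u-analyst", {"analyst"}, {"case-1"})
    reviewer = User("u-reviewer", {"reviewer"}, {"case-1"})
    dual = User("u-dual", {"analyst", "reviewer"}, {"case-1"})
    admin = User("u-admin", {"admin"})
    own_report = Report("rep-1", "case-1", "u-dual")
    return [
        authorize(analyst, "report.draft", "case-1").allowed,                 # True
        authorize(analyst, "report.approve", "case-1", own_report).allowed,   # False: role
        authorize(reviewer, "report.approve", "case-1", own_report).allowed,  # True
        authorize(dual, "report.approve", "case-1", own_report).allowed,      # False: own report
        authorize(reviewer, "report.approve", "case-2", own_report).allowed,  # False: not assigned
        authorize(admin, "case.read", "case-1").allowed,                      # False: least privilege
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The admin role deliberately carries no case-data permission: administering users and reading audit logs does not require reading evidence, which is what "no default admin access" in the list above amounts to in practice.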

Network Access Control:

  • Firewall Rules: All inbound connections restricted; only authorized traffic allowed
  • VPN Requirement: Remote access only via secure VPN with certificate authentication
  • IP Whitelisting: Office networks and approved client locations only

5. Audit Logging & Monitoring

Complete audit trail maintained for all system activities, enabling forensic analysis and compliance verification:

What Is Logged:

  • User Activity: Login/logout, file access, data queries, report generation
  • System Events: Software updates, configuration changes, error conditions
  • Security Events: Failed authentication attempts, unauthorized access attempts, policy violations
  • Data Access: All reads/writes to case data; timestamp, user ID, action type

Log Protection & Retention:

  • Immutable Logging: Logs cannot be modified or deleted (write-once format)
  • Encrypted Storage: Logs stored encrypted and access-controlled
  • Retention Policy: Logs retained for minimum 5 years per compliance requirements
  • Off-site Backup: Duplicate logs stored in isolated secure location
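Write-once storage keeps a log from being rewritten in place; a hash chain makes any rewrite that does get through detectable. The following is an added example, not CSAD's own code: each audit entry carries the fields listed above (timestamp, user ID, action type, target) and commits to the SHA-512 hash of the previous entry, so editing, deleting or truncating any entry breaks the chain at that point. The users, actions and timestamps are constructed, and the check that the head hash matches a copy published off-site is an assumption about how the off-site backup above would be used.

```python
"""Added example, not CSAD's code: a hash-chained, append-only audit log.
Each entry commits to the previous entry's SHA-512 hash; the newest hash (the
head) is published to the off-site copy so that truncation is also detectable.
Users, actions and timestamps below are constructed."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 128   # length of a SHA-512 hex digest


def entry_hash(entry):
    """SHA-512 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha512(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    @property
    def head(self):
        """Hash of the newest entry; publish this off-site to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, user_id, action, target, ts=None):
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "target": target,
            "prev": self.head,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries, expected_head=None):
    """Return (ok, index). index is the first entry that fails, or len(entries)
    when the chain is internally consistent but its head differs from the
    published one (entries removed from the tail)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def demo():
    """Constructed log plus three tampering attempts; returns the verify results."""
    log = AuditLog()
    log.append("u-analyst", "read", "case-1/disk.img", ts="2026-01-10T09:00:00+00:00")
    log.append("u-analyst", "export", "case-1/report.pdf", ts="2026-01-10T09:05:00+00:00")
    log.append("u-reviewer", "approve", "case-1/report.pdf", ts="2026-01-10T11:00:00+00:00")
    head = log.head

    edited = copy.deepcopy(log.entries)
    edited[1]["user"] = "u-someone-else"          # rewrite who performed the export

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                 # drop the export record entirely

    truncated = copy.deepcopy(log.entries)[:-1]    # drop the newest record

    return {
        "intact": verify_chain(log.entries, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} ok={result[0]} first_bad_index={result[1]}")
```

The chain on its own is evidence of tampering, not prevention: an attacker who can rewrite the whole log from the tampered entry onwards produces a consistent chain, which is why the head hash must live somewhere the log writer cannot reach (the off-site copy above) and why the storage itself is write-once.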

Real-Time Monitoring:

  • SIEM (Security Information & Event Management): Continuous monitoring and alerting for suspicious activity
  • Anomaly Detection: Machine learning detects unusual patterns (unusual access times, bulk downloads, etc.)
  • Incident Response: Automated alerts trigger incident response team for severity level assessment

6. Incident Response & Crisis Management

CSAD maintains a formal Incident Response Plan aligned with ISO 27035:

Detection & Classification:

  • Continuous Monitoring: 24/7 security monitoring for incident detection
  • Classification Matrix: Incidents classified by severity (Critical/High/Medium/Low)
  • Escalation Path: Defined roles and communication procedures based on severity

Incident Response Phases:

  • Containment: Isolate affected systems to prevent spread
  • Investigation: Forensic analysis to determine scope and cause
  • Remediation: Fix vulnerabilities and restore systems to secure state
  • Notification: Inform affected parties per legal requirements (72-hour GDPR rule)
  • Post-Incident Review: Root cause analysis and preventive measures

Business Continuity:

  • Backup & Recovery: Daily encrypted backups; recovery time objective (RTO) of 4 hours
  • Failover Systems: Hot standby systems ready for immediate activation
  • Disaster Recovery Testing: Quarterly DR drills to verify recovery procedures

7. NIS2 Directive Compliance

CSAD infrastructure aligns with the core requirements of the EU NIS2 Directive:

Risk Management (Article 20):

  • Regular risk assessments identifying vulnerabilities
  • Proportionate risk treatment with technical and organizational controls
  • Continuous monitoring and reassessment of security posture

Incident Management (Article 21):

  • Formal incident detection and response procedures
  • Incident classification and severity assessment
  • Mandatory notification to relevant authorities within legal timeframes
  • Post-incident review and continuous improvement

Supply Chain Security (Article 23):

  • Vendor assessment and security requirements
  • Code review and vulnerability scanning
  • Software supply chain integrity verification
  • Regular security audits of dependencies

Cryptographic Measures (Article 24):

  • Advanced encryption standards (AES-256, TLS 1.3) for data protection
  • Regular cryptographic key rotation
  • Post-quantum cryptography roadmap for future readiness

Personnel & Governance (Articles 25-26):

  • Background checks for all staff with system access
  • Annual security awareness training for all personnel
  • Designated Chief Information Security Officer (CISO)
  • Board-level oversight of cybersecurity strategy

8. GDPR Compliance

CSAD processes case data as a processor under GDPR Article 28, with strict data protection obligations:

Data Processing Agreement:

  • Signed Data Processing Agreement (DPA) with all clients
  • Clear definition of processing scope, purpose, and legal basis
  • Itemized list of processing instructions and compliance obligations

Data Subject Rights:

  • Access: Subject can request a copy of their data; CSAD provides it within 30 days
  • Rectification: Inaccurate data corrected upon request
  • Erasure: Data deleted upon request (subject to legal holds)
  • Portability: Data provided in portable format for transfer to other processors

Breach Notification:

  • Breach detected and reported to Data Controller within 72 hours
  • Investigation determines scope and impact
  • Controller notifies Data Subjects if high risk to rights/freedoms
  • National authority notified if required

9. Dutch Criminal Code (Sv) Compliance

CSAD infrastructure supports compliance with Dutch Criminal Code investigative and evidence standards:

Chain of Custody:

  • Complete documentation of every person/system accessing evidence
  • Timestamps recorded for all access and processing steps
  • Write-blocking prevents unauthorized modification of original evidence
  • Hash verification confirms data integrity before and after processing
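The hash verification in the last item above and the SHA-512 integrity check under Data Protection & Encryption are the same operation applied at two points in time. The following is an added example, not CSAD's own code: it hashes an exhibit with SHA-512 before and after every processing step, records who ran which step and whether the exhibit survived it unchanged, and reports the first step at which integrity broke. The exhibit file, user names and step names are constructed placeholders; the "faulty tool" stands in for any process that writes to an original, which is exactly what write-blocking exists to stop.

```python
"""Added example, not CSAD's code: SHA-512 verification of an exhibit before and
after each processing step, with a custody record per step. The exhibit file,
user names and step names are constructed placeholders."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB pieces: evidence images do not fit in memory


def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:     # opened read-only; the original is never written here
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyRecord:
    """Who did what to one exhibit, with the hash before and after each step."""

    def __init__(self, exhibit_id, path, acquired_by):
        self.exhibit_id = exhibit_id
        self.path = path
        self.reference_hash = sha512_file(path)     # hash at acquisition
        self.steps = []
        self._record(acquired_by, "acquisition", self.reference_hash, self.reference_hash)

    def _record(self, user, action, before, after):
        self.steps.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action,
            "hash_before": before, "hash_after": after,
            "intact": before == after,
        })

    def process(self, user, action, tool):
        """Run tool(path) and record the hash on both sides of it.
        Returns True when the step left the exhibit unchanged."""
        before = sha512_file(self.path)
        tool(self.path)
        after = sha512_file(self.path)
        self._record(user, action, before, after)
        return before == after

    def verify(self):
        """True when the exhibit still matches its acquisition hash and no step changed it."""
        return (sha512_file(self.path) == self.reference_hash
                and all(s["intact"] for s in self.steps))

    def first_broken_step(self):
        """Index of the first step that changed the exhibit, or None."""
        return next((i for i, s in enumerate(self.steps) if not s["intact"]), None)


def demo():
    """Constructed exhibit, one read-only step, then a step whose tool writes to
    the original. Returns (good_step_intact, verify_after_good, bad_step_intact,
    verify_after_bad, first_broken_step)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "exhibit-001.bin")
    with open(path, "wb") as f:
        f.write(b"constructed exhibit contents\n" * 4096)

    rec = CustodyRecord("EX-001", path, "u-analyst")
    good = rec.process("u-analyst", "size check", lambda p: os.path.getsize(p))
    ok_after_good = rec.verify()

    def faulty_tool(p):           # appends one byte to the original exhibit
        with open(p, "ab") as f:
            f.write(b"\x00")

    bad = rec.process("u-analyst", "faulty tool", faulty_tool)
    ok_after_bad = rec.verify()
    return good, ok_after_good, bad, ok_after_bad, rec.first_broken_step()


if __name__ == "__main__":
    print(demo())
```

Recording the hash on both sides of every step, rather than only at acquisition and at the end, is what lets the custody record name the step, the tool and the user responsible when a mismatch appears, which is the information an Article 359a Sv argument about procedural violations needs.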

Article 359a Sv (Evidence Exclusion Support):

  • Technical analysis documentation supporting exclusion arguments
  • Procedural violation detection (unauthorized access, hash mismatches)
  • Reproducibility verification to challenge forensic analysis methods

Privilege & Confidentiality:

  • Full attorney-client privilege maintained for all case data and communications
  • No disclosure to prosecution or other unauthorized parties
  • Beroepsgeheim (professional secrecy) respected for all service users

10. External Audit & Certification

CSAD infrastructure undergoes regular independent security audits:

Annual Security Audit:

  • Independent third-party penetration testing by certified security professionals
  • Vulnerability scanning and remediation verification
  • Code review focusing on security vulnerabilities and cryptographic integrity

Compliance Certification:

  • ISO/IEC 27001: Information Security Management System certification
  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, and privacy audit
  • NIS2 Compliance Assessment: Annual review by independent auditor

Audit Reports:

  • Audit findings documented and tracked to resolution
  • Remediation work verified by independent reviewer before closure
  • Summary reports provided to stakeholders (clients, regulatory bodies, board)